
Honeynet with Linksys Switch

A friend and I are about to set up a Honeynet to do a little original research on time-to-compromise various operating systems (compromise taking the forms of worms, viruses, script kidz, depending on the specific setup). We've done some research from the Honeynet project and their book, Know Your Enemy , but I do have a question you may be able to help with..

My setup currently involves a Linksys BEFSR41 switch. It uses NAT to run multiple PCs on a single DSL/Cable line - will this hinder my ability to place multiple honeypot computers on my local network?

I've got the option of setting a single IP address to the DMZ and expose it to the world, but then that would limit our work to a single computer/OS at time, and prevent us from gathering data relating to compromises across a single small network...

Has anyone any experience with something like this? If the switch is a no-go, is there another type of equipment I could use behind my broadband connection to expose multiple PCs at once?

What you need is to have the DMZ IP assigned to a second router, and then use that segment for the honeynet. Even better would be to configure it to act as a bridge, but that would require multiple IP's from your ISP.

Windows 9x:n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.

Using NAT isn't a big deal...it's not an issue. They will still be able to "see" the network.


Your best bet is to use the DMZ and do a single PC at a time. Using NAT there's no way you can have more than one computer fully available to the outside world. This is going to adversely affect the results of your research. If you want a true representation you need them to have access to the entire machine not just certain ports.

You could modify that slightly and have all machines available but you will still end up with skewed results. If you were to use port forwarding you could have all open ports in the wild, however they would not line up with the standards.. For Example

The only problem with this is that most canned tools and scanners that skiddies use are set to the specific standard ports, so the only machine that would return accurate results is PC 1. However it would allow you to have all machines theoretically in the wild.

You said DSL/Cable line, which is it? I know around here you only get one IP with cable, but most of the DSL providers will give you up to 8 IPs, they just don't advertise it. If you have DSL, it's entirely possible that you have access to more than just your main IP. You could then connect your honeypot machines separately and each one would return accurate results. This will also keep the traffic from interfering with your machines that aren't taking part in the honeynet.

I have to disagree with 576869746568617 on this one. The use of NAT is a huge deal for something like this, as it will skew the results. They will "see" that the network is there, but they won't have full access to the machines behind the NAT device. If you were the only ones testing the network then NAT would not play a role, however since I'm guessing you want valid IPs because you are taking these live on the net, you will need to find another solution other than NAT (multiple IP addresses, or one PC at a time).

One last thing to remember is to check with your ISP and see the terms of your AUP. Most ISPs frown on setting up honeypots and honeynets, it can bring a lot of unwanted and malicious traffic into servers and network. You don't want to risk losing your internet access in the name of research.

Peace,
HT

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

I agree, you should talk to your ISP. Also, if they have no policy on this type of thing, you may look at leasing a few additional IP addresses from them. If not, one at a time would be ok, but not exactly what we are looking for.

The results will not necessarily be skewed if you use NAT. Individual IPs are better, of course, but NAT will still work. The results depend on the logging capabilities of the router you use and the capabilities of the sniffer you use to monitor the subnet.

Remember, we are using two routers....one connected to the internet and one segmenting the honeynet, like this:

Size, packet type, source and destination ports, and header match in both logs. It's oversimplified, but I think you get the idea.

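One way to do the two-log matching described above, as an added example that is not from this thread (the log line format and the sample entries are constructed, and the field names are hypothetical): each inbound entry from the outer NAT router is paired with the inner sniffer's capture on protocol, source address and port, destination port and size within a short time window, which also exposes inbound packets the NAT device dropped before any honeypot received them.

```python
import re
from datetime import datetime, timedelta

# Hypothetical log format shared by the outer NAT router and the inner sniffer.
LINE = re.compile(r"(\S+ \S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) len=(\d+)")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, proto, src, sport, dst, dport, size = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "size": int(size)}

def key(p):
    # Fields that survive NAT unchanged; the destination address does not.
    return (p["proto"], p["src"], p["sport"], p["dport"], p["size"])

def correlate(outer_lines, inner_lines, window=timedelta(seconds=2)):
    """Return [(outer entry, private host or None)] in outer-log order.
    None means the router logged the packet but no honeypot received it,
    i.e. NAT dropped it for lack of a forwarding rule."""
    inner = {}
    for line in inner_lines:
        p = parse(line)
        if p:
            inner.setdefault(key(p), []).append(p)
    matches = []
    for line in outer_lines:
        p = parse(line)
        if not p:
            continue
        hit = next((c["dst"] for c in inner.get(key(p), [])
                    if abs(c["ts"] - p["ts"]) <= window), None)
        matches.append((p, hit))
    return matches

# Constructed sample logs: 198.51.100.20 is the router's public address,
# 192.168.1.x are honeypots behind it.
OUTER_LOG = [
    "2004-03-12 10:15:01 TCP 203.0.113.9:4312 -> 198.51.100.20:23 len=60",
    "2004-03-12 10:15:03 TCP 203.0.113.9:4313 -> 198.51.100.20:139 len=48",
    "2004-03-12 10:15:09 UDP 203.0.113.77:1026 -> 198.51.100.20:1434 len=404",
]
INNER_LOG = [
    "2004-03-12 10:15:01 TCP 203.0.113.9:4312 -> 192.168.1.10:23 len=60",
    "2004-03-12 10:15:04 TCP 203.0.113.9:4313 -> 192.168.1.11:139 len=48",
]
```

Running `correlate(OUTER_LOG, INNER_LOG)` attributes the first two entries to 192.168.1.10 and 192.168.1.11, while the UDP probe to 1434 matches nothing, the case where NAT silently removed a host from the study.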

As far as just capturing incoming packets, I agree completely, won't make that much of a difference. However, they want to do more than that. They want the box to be available to be hacked, the very idea of a honeypot/honeynet. One of the most appealing features of NAT is that a machine on the private side of the network is basically inaccessible to a machine on the public network, unless you've set up specific port forward rules or a DMZ. I demonstrated in my last post that port forwarding will skew the results because common script kiddie tools use specific ports. You'll see mass scans for port 139, or port 23, however if I have 3 PCs with those ports open, I can only forward the traffic inbound on those ports to one machine. I would have to do different external ports for forwarding to the other machines, this will skew the results because you won't get as many canned attacks. As for the DMZ, again you set-up the DMZ and you only have one host to work with. The results will be skewed for the other hosts.

I'm sitting here at the helpdesk right now. If I open up port 80 on this machine and put a vulnerable piece of code on it, that's not going to do any good to anyone outside the college. I have a private IP address and they could never make an HTTP request to my machine. I'd have to have the port forwarded (and unless it's port 80, the results are skewed).

I'm sorry for being repetitive... I'm just trying to get my point across,

Peace,
HT

[Edit]
Sure add stuff while I'm typing my reply

Anyways... even if you are using 2 routers, it's not going to affect the results. Set up two routers, the second one being the DMZ off the first one and then try and telnet to a machine behind the second one. You're going to tell me that three machines running a telnet server behind that second router will all respond back and I'll get 3 open telnet sessions, one to each machine? I'd love to see you prove that one.

[/Edit]


I'm going to have to do a trial run with a single machine at a time on the DMZ of the router. This will first allow me to test the packet capture and logging abilities, as well as get a feel for what kind of compromise I may be able to expect off the bat.

While true that a Honeynet in its purest definition would be a number of hosts on a compromisible network, that may not actually be the best setup for me since this is my first attempt. Proper configuration for my data capture and protection of any other machines (I'd be sore if I got locked out of my router) should be my first priority this time around..

The idea of multiple hosts behind a single IP is interesting, though. I'm assuming if an intruder did find the private network, they'd map out the subnet and go from there, yes?

(I'm trying to contain my excitement on this project.. I find these nefarious activities so interesting)

l00p

AND >> thanks for the point on the ISP. I'll have to page through my policy to see what they say.. considering the amount of noise broadcasting around the network these days, I doubt they'd notice much in my neck of the woods. I'm going to have to dig me up some software to limit outgoing connections per day and/or bandwidth coming from my honeypot PC. I don't want to be party to a DDoS or spamming to someone else...

I purchased the books Honeypots and Know your enemy. They include perl scripts to do this on the CDs that accompany the books. If you don't have the CDs, let me know. I'd be glad to compress them for you. Or, I'm sure you can find them online already...

Also, a couple of members here have written things such as fake smtp servers that would also be good. (I think in addicts forum?) I'd have to dig a bit... but there are quite a few scripts/toolz out there to control almost everything you could want to do.

Now that I think about it... they came with the honeypots cd. I have it at work. I can get them for you if you want. just PM me.

Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.